
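<!doctype html>
<!-- The page body is English prose, so declare it; an empty lang attribute
     gives screen readers and search engines nothing to work with. -->
<html lang="en">
    <head>
        <!-- A single charset declaration, first in <head>. The old http-equiv
             Content-Type meta duplicated it, which is a conformance error. -->
        <meta charset="UTF-8">
        <!-- Do not set user-scalable=no: it blocks pinch-zoom (WCAG 1.4.4). -->
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <title>Introduction · GitBook</title>
        <meta name="description" content="">
        <meta name="generator" content="GitBook 3.2.3">
        <meta name="HandheldFriendly" content="true">
        <meta name="apple-mobile-web-app-capable" content="yes">
        <meta name="apple-mobile-web-app-status-bar-style" content="black">

        <!-- Theme and plugin stylesheets (type attribute omitted: text/css is the default). -->
        <link rel="stylesheet" href="gitbook/style.css">
        <link rel="stylesheet" href="gitbook/gitbook-plugin-highlight/website.css">
        <link rel="stylesheet" href="gitbook/gitbook-plugin-search/search.css">
        <link rel="stylesheet" href="gitbook/gitbook-plugin-fontsettings/website.css">

        <!-- Icons; rel="icon" is the standard token, "shortcut" is ignored by browsers. -->
        <link rel="apple-touch-icon-precomposed" sizes="152x152" href="gitbook/images/apple-touch-icon-precomposed-152.png">
        <link rel="icon" href="gitbook/images/favicon.ico" type="image/x-icon">

        <!-- Sequential-navigation hint to the following chapter. -->
        <link rel="next" href="posts/the-format-of-tcpdump-command.html">
    </head>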
    <body>
        
<div class="book">

    <div class="book-body">
        
            <div class="body-inner">
                
                    





                    <div class="page-wrapper" tabindex="-1" role="main">
                        <div class="page-inner">
                            
<div id="book-search-results">
    <div class="search-noresults">
    
                                <section class="normal markdown-section">
                                
                                <h1 id="tcpdump-little-book">Tcpdump little book</h1>
<p><a href="https://www.tcpdump.org/" target="_blank" rel="noopener noreferrer">Tcpdump</a> is a very powerful command-line tool for analyzing network packets on <code>Unix-like</code> operating systems; it is indispensable for debugging network-related issues. Run <code>tcpdump</code> in your terminal:</p>
<pre><code># tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
08:57:41.148740 IP6 fe80::846b:2555:fb41:1fa8.dhcpv6-client &gt; ff02::1:2.dhcpv6-server: dhcp6 solicit
08:57:41.208960 IP archlinux.ssh &gt; 10.217.133.206.55977: Flags [P.], seq 687245846:687246034, ack 4010852751, win 501, length 188
......
</code></pre><p>The <code>#</code> prompt above is not incidental: live capture normally needs root privileges (see the chapter on relinquishing privileges). Without any options or filter expression, <code>tcpdump</code> runs in live-capture mode (the relevant part of <a href="https://github.com/the-tcpdump-group/tcpdump/blob/e6eab7bccfbf8fe9c386e16a9c5441e7a57066ae/tcpdump.c#L2024" target="_blank" rel="noopener noreferrer">tcpdump.c</a> is shown here):</p>
<pre><code>......
        /*
         * We&apos;re doing a live capture.
         */
        if (device == NULL) {
            /*
             * No interface was specified.  Pick one.
             */
#ifdef HAVE_PCAP_FINDALLDEVS
            /*
             * Find the list of interfaces, and pick
             * the first interface.
             */
            if (pcap_findalldevs(&amp;devlist, ebuf) == -1)
                error(&quot;%s&quot;, ebuf);
            if (devlist == NULL)
                error(&quot;no interfaces available for capture&quot;);
            device = strdup(devlist-&gt;name);
            pcap_freealldevs(devlist);
#else /* HAVE_PCAP_FINDALLDEVS */
            /*
             * Use whatever interface pcap_lookupdev()
             * chooses.
             */
            device = pcap_lookupdev(ebuf);
            if (device == NULL)
                error(&quot;%s&quot;, ebuf);
#endif
        }
......
</code></pre><p>Depending on whether the <code>HAVE_PCAP_FINDALLDEVS</code> macro is defined, <code>tcpdump</code> picks a &quot;default&quot; network interface for the capture: either the first interface returned by <code>pcap_findalldevs()</code> or whatever <code>pcap_lookupdev()</code> chooses. That default depends on the order in which interfaces are enumerated, so name the interface explicitly (see the chapter on specifying network interfaces) whenever it matters which traffic you capture. Interesting, right? Now that everything is set up, let&apos;s begin this whirlwind tour of <code>tcpdump</code>.</p>
<p>P.S. This manual borrows code and documentation heavily from the <a href="https://www.tcpdump.org/" target="_blank" rel="noopener noreferrer">tcpdump</a> website — kudos to the <code>tcpdump</code> developers! If this small booklet helps you, please give it a star on <a href="https://github.com/NanXiao/tcpdump-little-book" target="_blank" rel="noopener noreferrer">GitHub</a>. :-)</p>

                                
                                </section>
                            
    </div>
</div>

                        </div>
                    </div>
                
            </div>

            
                
                
                
            
        
    </div>

</div>

        
        
    

    </body>
</html>

